Post navigation

Azure AD and AADConnect bulk delete

So you are using Azure AAD Connect to sync your directory to Azure Active Directory (a.k.a AAD), and everything works just fine.

Now a security audit is happening in your corporation, and they identified many inactive or disabled users in your on premise AD that are no longer in use.

Then you went to your on premise AD and deleted all those users. If you delete more than 500 users at once from your on premise AD, then your Azure AAD Connect will refuse to sync those deletion to Azure AAD.

You may receive an email that looks like this:

Hello admin@contoso.com, At Sunday, 18 October 2015 12:11:40 GMT the Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold for Contoso Corporation [Contoso.onmicrosoft.com]. A total of 800 objects were sent for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold value of 500 objects. We need you to provide confirmation that these deletions should be processed before we will proceed.

Please see Preventing Accidental Deletions for more information about the error listed in this email message. Thank you,

The Azure Active Directory Team

Why ?

When you install the Azure AD Connect, by default a feature called accidental deletes is enabled with a threshold of 500 objects. This simply means that the sync tool will not export from metaverse to azure AAD more than 500 deletes at once.

This objective of such feature is to protect you from accidental configuration changes and changes to your on-premise directory which may affect large number of users.

The default value of 500 objects is configurable by running Enable-ADSyncExportDeletionThreshold with a value that fits your organization size and requirements.

What to do?

If all the deletes are legitimate deletions, then do the following:

To temporarily disable this feature and authorize those deletions, run the PowerShell cmdlet: Disable-ADSyncExportDeletionThreshold

With the Azure Active Directory Connector still selected in AAD Connect tool, select the action Run and select Export.

To re-enable the protection run the PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold